0:00:00.000,0:00:12.256
rC3 preroll music
0:00:12.256,0:00:18.400
Herald: Now, our next talk is Hacking[br]German elections, insecure electronic
0:00:18.400,0:00:23.600
vote counting, how it[br]returned and why you don't even know about
0:00:23.600,0:00:32.330
it. For the Germans listening here, did[br]you notice that in Germany, voting became
0:00:32.330,0:00:37.647
more electronic recently? In case you're[br]outside of Germany: I do live in Germany and I
0:00:37.647,0:00:43.200
did not notice that myself. However, both[br]of our speakers volunteered as election
0:00:43.200,0:00:50.080
workers in Germany and do research on the[br]topic of security for elections. And they
0:00:50.080,0:00:56.630
promised to tell us how this can be, how[br]elections can be made more secure again.
0:00:56.630,0:01:01.680
Our speakers are Tobias, he is an IT-[br]Security researcher focusing on offensive
0:01:01.680,0:01:07.120
security, automotive security and capture[br]the flag challenges. And Johannes. He's a
0:01:07.120,0:01:11.960
post-doctoral IT-Security researcher and[br]both work together at the
0:01:11.960,0:01:18.528
Fraunhofer AISEC Institute.[br]Enjoy the talk.
0:01:18.528,0:01:24.722
Silence
0:01:24.722,0:01:29.450
Johannes: Hello and welcome to our[br]presentation on Hacking German Elections.
0:01:29.450,0:01:33.840
Insecure electronic vote counting, how it[br]returned and why you don't even know about
0:01:33.840,0:01:39.840
it. My name is Johannes Obermaier[br]Tobias: and I am Tobias Madl. We are both
0:01:39.840,0:01:44.720
very much involved in elections in Bavaria[br]because we're election workers and offer
0:01:44.720,0:01:49.200
support here in Germany.[br]J: And we are offensive IT-Security
0:01:49.200,0:01:52.778
researchers.[br]T: First of all, we want to talk about the
0:01:52.778,0:01:59.554
scope we are presenting today. We got our[br]information and the software we show today
0:01:59.554,0:02:06.048
from the municipal elections in Bavaria[br]that took place in early 2020. And it was a
0:02:06.048,0:02:12.237
computer-based vote counting technology.[br]So we were very concerned when we
0:02:12.237,0:02:16.620
interacted with it. And in the end, we[br]raised the question: are elections
0:02:16.620,0:02:24.025
still secure? Next, I present the[br]outline of what we are talking about today, and
0:02:24.025,0:02:28.862
first of all, we are looking at the[br]electronic vote counting system. And next,
0:02:28.862,0:02:34.425
we identified some conceptual and[br]practical issues with this technology.
0:02:34.735,0:02:40.626
Afterwards, we also inspected the software[br]and found some insecurities. And in the
0:02:40.626,0:02:46.727
end, we summarize and conclude our[br]presentation.
0:02:46.727,0:02:52.060
J: To understand why we need electronic[br]vote counting, let's just have a look at
0:02:52.060,0:02:57.766
the voting ballot. This voting ballot is[br]in its paper form about one meter wide and
0:02:57.766,0:03:03.466
50 centimeters high. So, that's quite a[br]large ballot, with a lot of candidates.
0:03:03.466,0:03:11.091
Let's just sum up the facts. So, we have a[br]total of 599 candidates that are spread
0:03:11.091,0:03:17.287
out over nine parties. Each citizen is[br]allowed to cast up to 70 votes in this
0:03:17.287,0:03:23.150
election. So, that sounds simple, but it[br]gets even more complicated now, because
0:03:23.150,0:03:28.616
you can cast up to three votes per[br]candidate and you can even choose multiple
0:03:28.616,0:03:35.572
candidates of different parties up to your[br]70 votes. And even if you decide yourself
0:03:35.572,0:03:40.771
to vote for a single party, you can still[br]strike out candidates that you personally
0:03:40.771,0:03:46.142
don't like, so they don't get any[br]votes from your ballot. That means this
0:03:46.142,0:03:51.984
voting system gives a lot of power to the[br]citizens and voting is fun.
0:03:51.984,0:03:57.902
However, counting out those ballots is very[br]difficult because you need to know a lot
0:03:57.902,0:04:03.986
of special rules in this voting system to[br]really count each ballot correctly. That's
0:04:03.986,0:04:09.320
the reason that a software such as OK.VOTE[br]has been developed. OK.VOTE is a typical
0:04:09.320,0:04:15.154
software for elections that's also used in[br]the polling stations for vote counting.
0:04:15.154,0:04:20.478
So, OK.VOTE has quite a large market[br]share. They say they have something like 75% in
0:04:20.478,0:04:26.112
Germany. So that software is used in[br]several states. OK.VOTE has several
0:04:26.112,0:04:32.114
different modules for organizing[br]elections, for example. But what we now
0:04:32.114,0:04:40.082
have a look at in this talk is only the[br]vote counting module of OK.VOTE, where the
0:04:40.082,0:04:47.328
election workers take each paper ballot[br]and manually type in all the votes on
0:04:47.328,0:04:52.928
each ballot, and then they are stored in[br]the computer system. So, the task of
0:04:52.928,0:04:58.734
OK.VOTE is to process each ballot to count[br]the votes, to find out if the ballot is
0:04:58.734,0:05:03.708
correct, then it stores all the ballots[br]into its database and finally it does some
0:05:03.708,0:05:10.065
magic and computes the final result. So,[br]this sounds quite similar to what a voting
0:05:10.065,0:05:17.592
machine does. But wait a moment. Voting[br]machines, in my Germany?
0:05:17.592,0:05:22.585
T: Wait, that's illegal.[br]J: Is it really illegal? Let's have a look
0:05:22.585,0:05:29.618
at the legal regulations about it. So,[br]yes, in 2009, there was an important
0:05:29.618,0:05:35.258
decision by the German federal[br]constitutional court and they said, that
0:05:35.258,0:05:40.474
the use of voting computers in the 2005[br]Bundestag election was unconstitutional.
0:05:40.474,0:05:48.755
Because, for example, the voting computers were[br]not transparent enough. So, that is very
0:05:48.755,0:05:54.393
similar to what we have also found[br]for the municipal elections. But wait, we
0:05:54.393,0:05:58.564
are talking here about the Bundestag[br]election. But this is a municipal
0:05:58.564,0:06:03.430
election and we have different rules for[br]the municipal elections. For example,
0:06:03.430,0:06:10.374
there is the GLKrWO, that's the Gemeinde-[br]und Landkreiswahlordnung Bayern,
0:06:10.374,0:06:16.605
which basically translates to the Bavarian[br]municipal election rules. And those rules
0:06:16.605,0:06:23.009
say, that we are indeed not allowed to use[br]a computer for voting, but computers can
0:06:23.009,0:06:29.417
be used for vote counting. So, in this[br]situation, I would expect that we have
0:06:29.417,0:06:35.686
some sort of security requirements there[br]in those regulations. But I tried to find
0:06:35.686,0:06:40.713
them, and I was really surprised: there[br]are exactly zero.
0:06:40.713,0:06:45.370
T: So, if there are no legal requirements,[br]are there at least any software-side
0:06:45.370,0:06:50.590
requirements or certifications for[br]OK.VOTE which promise some security?
0:06:50.590,0:06:55.813
J: Yes, there are. So, I had a look at the[br]website and I saw this nice little
0:06:55.813,0:07:03.127
paragraph here. And it says: elections[br]with security, and during the development
0:07:03.127,0:07:10.540
of OK.VOTE, they put the highest emphasis[br]on the topic of security. They follow the BSI
0:07:10.540,0:07:16.193
and OWASP recommendations on security, and[br]they have a certified data center with
0:07:16.193,0:07:20.540
very high security standards.[br]T: And what does this look like in
0:07:20.540,0:07:23.507
practice?[br]J: Oh, I would rather not show you this
0:07:23.507,0:07:29.597
here. It's really scary. This is what[br]I saw when I walked into the
0:07:29.597,0:07:33.909
election room. This is not a stock photo.[br]I took this photo myself and this is the
0:07:33.909,0:07:40.187
reality. So, I walked up to the guys and[br]said, well, shall we really use these
0:07:40.187,0:07:44.069
computers to count out the elections, and[br]they said, yes, those are the computers
0:07:44.069,0:07:50.037
that are available here. So, I prayed to[br]God that for some reason this would not work
0:07:50.037,0:07:55.102
out. And Windows XP did not disappoint me[br]because when I tried to start the
0:07:55.102,0:08:02.812
software, it failed because those are[br]32-bit systems and OK.VOTE needs 64 bits. So,
0:08:02.812,0:08:09.354
yeah, that was great. So, we did not use[br]that Windows XP machine. So, instead we
0:08:09.354,0:08:14.331
had to search for another machine and came[br]across this one here. That's a Windows 10
0:08:14.331,0:08:20.749
machine. That's fine. However, it has an[br]outdated virus scanner. So, well, it's
0:08:20.749,0:08:26.916
better than nothing. So, this machine was[br]used instead. So, but let's just keep
0:08:26.916,0:08:34.246
in mind what they are promising us:[br]election security. We really doubt that.
0:08:34.726,0:08:39.503
Let's now look at the IT environment and[br]why it came to this situation. So, first
0:08:39.503,0:08:46.211
of all, this is not fully the fault of[br]OK.VOTE, because it's the task of the
0:08:46.211,0:08:53.682
local administration to provide hardware[br]for vote counting, and AKDB, the vendor of
0:08:53.682,0:08:59.771
OK.VOTE, says that they recommend using[br]secure administration computers. That's
0:08:59.771,0:09:05.515
fine so far, but we simply don't have[br]enough secure administration computers for
0:09:05.515,0:09:10.845
that purpose. So, for example, in the town[br]where I'm from, we needed around 8
0:09:10.845,0:09:16.571
computers to count out this election and[br]we simply did not have enough in the town
0:09:16.571,0:09:23.211
hall. And what's more, the election[br]room was in a school, and there are
0:09:23.211,0:09:27.923
already school PCs available there. So,[br]they were just using the school PCs. So,
0:09:27.923,0:09:33.520
and those were even elementary school[br]computers. So, I'm not really sure
0:09:33.520,0:09:38.466
if all the pupils know which link they[br]are allowed to click and which one they
0:09:38.466,0:09:43.991
should rather not click on. So, these[br]systems might be insecure, there might be
0:09:43.991,0:09:49.038
malware within, and it's even possible[br]that someone has manipulated them in
0:09:49.038,0:09:55.854
advance; we cannot really exclude that.[br]However, I don't want to blame the
0:09:55.854,0:10:00.058
administration here because they did a[br]great job in organizing this election.
0:10:00.058,0:10:05.967
It's really a lot to do for them, and they did[br]really well. So, everything worked out
0:10:05.967,0:10:12.283
well in the end. However, they are no IT-[br]Security specialists, and we cannot demand
0:10:12.283,0:10:18.532
from them that they know every detail of[br]how to set up a system correctly and what
0:10:18.532,0:10:24.045
the risks are that are associated with[br]insecure computer systems in elections.
0:10:24.045,0:10:29.890
That's just not their job. However, we[br]still ended up with untrustworthy systems
0:10:29.890,0:10:36.069
here. Because, as we have seen before,[br]there are no legal regulations against it.
0:10:36.069,0:10:40.108
Now, let's see how we create a digital[br]result.
0:10:40.108,0:10:47.214
T: Exactly. So, we went to our polling[br]places. Each of us
0:10:47.214,0:10:52.811
got a PC and the ballot stack we[br]had to count, and then we entered the results.
0:10:52.811,0:10:59.468
So, Johannes was Team 2 and I was Team 1,[br]and we started entering the ballots into the
0:10:59.468,0:11:06.232
PC. And from then on, they were digitized:[br]Team 1 in green and Team 2 in blue.
0:11:06.232,0:11:11.103
J: As soon as I was finished entering my[br]ballots, I put them on a USB drive and
0:11:11.103,0:11:16.735
handed them over to Team 1.[br]T: Exactly. I imported these votes,
0:11:16.735,0:11:22.094
because I had the master machine at this[br]time, and the OK.VOTE software then
0:11:22.094,0:11:28.578
finalized the election and[br]finally exported the results, again on a
0:11:28.578,0:11:34.055
USB stick. And these were then delivered[br]for further processing.
0:11:34.055,0:11:39.160
J: What is the problem with all that?[br]First of all, there's a lot of
0:11:39.160,0:11:43.301
intransparency. So, for example, the[br]software that is being used for vote
0:11:43.301,0:11:49.171
counting, OK.VOTE, is not open source[br]software. It's closed source, and nobody
0:11:49.171,0:11:55.572
has been able to analyze it yet. So,[br]since this is closed source software, it
0:11:55.572,0:12:00.433
is also very hard to understand how the[br]software works and if it really counts
0:12:00.433,0:12:05.192
correctly. Because, in the end, we[br]have hundreds of ballots there, and it's
0:12:05.192,0:12:10.217
really difficult to tell if they have[br]indeed been counted correctly. So,
0:12:10.217,0:12:16.887
as we have seen before, there[br]is no basis for secure vote counting if
0:12:16.887,0:12:22.264
we have possibly rigged computer systems.[br]So, we cannot exclude that someone has
0:12:22.264,0:12:29.346
manipulated them before the election. So, if[br]there is some manipulation, this would
0:12:29.346,0:12:34.988
hardly be detectable by a standard[br]election worker. So, this means that the
0:12:34.988,0:12:40.947
entire election process becomes very[br]intransparent and hard to understand for a
0:12:40.947,0:12:46.460
person who just wants to observe the[br]election. So, that is strictly against the
0:12:46.460,0:12:52.953
idea of a public counting of votes.[br]T: So, now let's talk about the step that
0:12:52.953,0:12:58.323
happens after we finish counting[br]in each of the teams.
0:12:58.323,0:13:02.038
J: So, what do you do after you have[br]exported the final election results?
0:13:02.038,0:13:04.581
How do they get to the[br]central administration?
0:13:04.581,0:13:10.666
T: Yeah, I just got into my vehicle, with[br]the USB sticks in my pocket, and drove
0:13:10.666,0:13:17.868
to the master PC. But, as you maybe know,[br]Election Day is always a very busy day, and
0:13:17.868,0:13:24.386
some teams might be slower at counting,[br]some teams are faster. So, the master team
0:13:24.386,0:13:29.052
doesn't know when these USB sticks will arrive,[br]whether they take two or three hours or half an
0:13:29.052,0:13:33.191
hour, they don't really know. So, I could[br]just go and grab something to eat on my
0:13:33.191,0:13:39.311
way. Or I can manipulate the vote. I mean,[br]deliver the votes. And yeah, in the end,
0:13:39.311,0:13:44.307
when I arrive at the master PC, I[br]just give them my USB stick, they insert it
0:13:44.307,0:13:48.340
and they take the data that is stored on[br]there and nothing else. And afterwards,
0:13:48.340,0:13:52.574
they just upload the final[br]results to the web page.
0:13:52.574,0:13:59.035
J: Now you might think, why is it possible[br]for him to manipulate election results?
0:13:59.035,0:14:04.844
Because there's no authenticity protection. There's[br]only integrity protection of the file that
0:14:04.844,0:14:10.388
he is transporting, so some CRC32 and a[br]SHA hash, but nothing like a cryptographic
0:14:10.388,0:14:16.464
signature. So, even if he alters the data,[br]he can just regenerate all the integrity
0:14:16.464,0:14:22.089
protection data and the data will just be[br]accepted. So, the main issue here is also,
0:14:22.089,0:14:28.508
that this is one of the few spots where[br]only a single person has unsupervised
0:14:28.508,0:14:34.268
access to the data, during transport of the[br]voting data. And that makes
0:14:34.268,0:14:39.255
manipulations possible and easily feasible[br]in this case. And that should not be the
0:14:39.255,0:14:48.145
case, especially in an electronically[br]supported election. Now, let's have a look
0:14:48.145,0:14:52.487
at the vote counting software itself,[br]because there we found even more
0:14:52.487,0:14:55.962
interesting results.[br]T: Exactly. Let's begin with the system
0:14:55.962,0:15:01.951
architecture. First of all, this is the[br]local or decentralized version of the
0:15:01.951,0:15:08.008
software system. So all this is taking[br]place on the local host, on the machines we
0:15:08.008,0:15:13.154
encountered in the classrooms, and on[br]these machines there was an Apache Tomcat
0:15:13.154,0:15:18.011
web server running, which was connected to[br]a MariaDB, and the user was interacting
0:15:18.011,0:15:25.414
with the voting system via a portable[br]Firefox. And as AKDB said before, they
0:15:25.414,0:15:33.166
were very concerned with security. So,[br]let's think about which attackers they
0:15:33.166,0:15:38.349
had in mind when they designed the system[br]and against whom the system is supposed to
0:15:38.349,0:15:44.342
protect. Is it the user who maybe attacks[br]the system, the vote counting system, which
0:15:44.342,0:15:51.336
is normally just election workers who are[br]there in their free time to help execute
0:15:51.336,0:15:57.549
the election, or did they have[br]network attackers in mind who come from
0:15:57.549,0:16:03.077
completely different places and try to[br]manipulate the network from outside? First
0:16:03.077,0:16:09.895
of all, we took the user as one of the[br]possible attackers. And even in this
0:16:09.895,0:16:15.412
environment, we found some really broken[br]stuff. First of all, broken access
0:16:15.412,0:16:20.525
control. But what is it all about?[br]Well, that's the login page after we just
0:16:20.525,0:16:26.630
logged into our voting system and clicked on[br]the administration page, where we can change
0:16:26.630,0:16:31.467
our password and edit our profile. These[br]are the buttons on the left. And as you
0:16:31.467,0:16:36.585
can see, we are clearly logged in as[br]user42. And there is nothing more to do
0:16:36.585,0:16:42.976
than select which counting part we want[br]to do, the general regional vote or the
0:16:42.976,0:16:48.223
municipal votes. And that's all we can[br]do on this page. Now let's switch to the
0:16:48.223,0:16:53.726
system administrator. There we have the[br]admin account, as you can see on the upper
0:16:53.726,0:17:00.193
left side, where we can now do much[br]more than the normal user. We are again on
0:17:00.193,0:17:04.483
the administration page, but now we have[br]the user administration where we can
0:17:04.483,0:17:12.495
create or delete users. We have the reopen[br]or close voting mechanisms. We have
0:17:12.495,0:17:18.471
imports, we have exports, and also, what's[br]not included in the screenshots, submenus
0:17:18.471,0:17:25.003
like deleting finalized results and so[br]on. So, we picked out two very interesting
0:17:25.003,0:17:31.602
URLs for you. First of all, we are taking[br]the "Bezirk wieder eröffnen", which
0:17:31.602,0:17:36.360
translates to reopening the election[br]district after the election has been closed. It's
0:17:36.360,0:17:41.296
normally finalized, so no more votes can[br]be entered into the system. And the other
0:17:41.296,0:17:46.709
link is "Löschen", which translates to[br]delete data, and in the end deletes
0:17:46.709,0:17:53.156
all the data from the machine, so no[br]more private or sensitive data is stored on
0:17:53.156,0:17:59.470
there. And this is what they look like[br]when we just open them. On the left side
0:17:59.470,0:18:04.428
we see the reopen dialog. On the right[br]side, we see the data delete dialog. But wait,
0:18:04.428,0:18:12.609
this is not the admin view, this is the[br]user view. So, they did not check if this
0:18:12.609,0:18:18.184
user is even allowed to do this. And we also have to[br]say that this is not just the view of it;
0:18:18.184,0:18:22.008
it is fully working and completely[br]functional when you just go through the
0:18:22.008,0:18:25.533
process of deleting or reopening an[br]election.
0:18:25.533,0:18:29.296
Alarm sound[br]J: What's the problem with that?
0:18:29.296,0:18:33.754
T: Yeah, as you maybe already guessed,[br]reopening elections could create a
0:18:33.754,0:18:38.529
possibility of sneaking in some additional[br]votes for the candidate I favor, and
0:18:38.529,0:18:44.795
additionally, if I want to mess with all[br]of the voting, I could just delete all the
0:18:44.795,0:18:50.043
election data and we would have to start[br]from the beginning and completely delay or
0:18:50.043,0:18:53.422
deny the voting.[br]J: But why is this even possible?
0:18:53.422,0:18:59.710
T: Yeah, we found out that this is their[br]access control check in their software.
0:18:59.710,0:19:05.694
This function is called getZugriffRollen,[br]which translates to get access roles. So
0:19:05.694,0:19:10.859
normally there would also be code[br]in place to check if this role is allowed
0:19:10.859,0:19:15.304
to access this kind of site. But they just[br]returned null and did not implement it.
0:19:15.304,0:19:21.863
And that's also nice work implementing[br]access control. However, I think we can
0:19:21.863,0:19:27.422
propose some mechanisms that could have[br]prevented this. First of all, hidden
0:19:27.422,0:19:33.174
information is nothing you can rely on.[br]If you just don't show where you can click
0:19:33.174,0:19:38.835
to get to this URL or to this page, that's[br]not really secret, because maybe you find
0:19:38.835,0:19:43.488
some leaked source code, or you shoulder-surf[br]an admin, or you just by
0:19:43.488,0:19:48.774
accident type in the wrong URL and get to[br]this hidden information. Or you
0:19:48.774,0:19:54.505
use software scanners to find something[br]hidden. So hidden data is just not secure.
0:19:54.505,0:19:59.009
And on the other hand, you should finalize[br]your implementation of access control to
0:19:59.009,0:20:03.394
actually have access control, and even test it[br]once to be sure that it works. So in the
0:20:03.394,0:20:07.678
end we can conclude that hidden[br]data is not protected data.
0:20:07.678,0:20:11.802
J: Let's now come to another type of[br]attack: cross-site attacks. A cross-site
0:20:11.802,0:20:17.009
attack is some sort of interference[br]between two websites, where one website,
0:20:17.009,0:20:21.862
for example, tries to do something on[br]behalf of the other. The goal is often to
0:20:21.862,0:20:27.052
deceive the user or to trigger[br]manipulations. First of all, we were quite
0:20:27.052,0:20:33.217
sure that they had thought of cross-site[br]attacks, because during our testing, we saw
0:20:33.217,0:20:39.979
that they included some HTTP headers that[br]target a wide range of attack vectors that
0:20:39.979,0:20:45.140
use cross-site scripting attacks. For[br]example, here we have X-Frame-Options:
0:20:45.140,0:20:52.179
SAMEORIGIN. That means that other pages[br]cannot include the voting software in
0:20:52.179,0:20:56.608
their own frames and so on. And also[br]cross-site scripting protection is enabled
0:20:56.608,0:21:03.739
via X-XSS-Protection. So this looks quite[br]good because this already excludes several
0:21:03.739,0:21:10.328
attack vectors. But how about cross-site[br]request forgery? When we first tested
0:21:10.328,0:21:16.157
this, we found out that the vote counting[br]system is not fully protected against it.
0:21:16.157,0:21:21.490
What is cross-site request forgery? So in[br]the first step, the election worker uses
0:21:21.490,0:21:26.566
the integrated Firefox browser to access[br]a malicious website. So the user is
0:21:26.566,0:21:31.965
triggered to visit this website. For[br]example, someone sends him a link and triggers
0:21:31.965,0:21:37.805
him to click on the link by the promise,[br]for example, of a cute animal picture or
0:21:37.805,0:21:43.088
something of that sort. And then the user[br]visits this website. And this website
0:21:43.088,0:21:47.972
contains form fields that resemble the[br]form fields of the actual vote counting
0:21:47.972,0:21:53.890
software. And the malicious website now[br]triggers your browser to submit this form
0:21:53.890,0:21:59.576
data, not to the original website, but[br]rather to the vote counting software. And
0:21:59.576,0:22:04.489
as soon as it reaches the Tomcat web[br]server, the web server is confused.
0:22:04.489,0:22:11.266
Because the web server cannot discern the[br]input from the cross-site attack from the
0:22:11.266,0:22:15.432
malicious website from original user[br]input. And then the Apache Tomcat server
0:22:15.432,0:22:20.482
just thinks that this is original user[br]input and will process it. And that's
0:22:20.482,0:22:25.550
called a cross-site request forgery[br]attack. So we saw that there is sometimes
0:22:25.550,0:22:31.360
a protection against this sort of attacks.[br]But many pages are not protected against
0:22:31.360,0:22:37.647
it. And that is very concerning because[br]that's a vulnerability from 2001. It's almost
0:22:37.647,0:22:43.873
20 years old now and it's still present in[br]such a software. So this is quite
0:22:43.873,0:22:49.950
unsettling here. Now, let's sum this up:[br]what we can do with it. So, first of all,
0:22:49.950,0:22:55.508
the issue is that they are missing CSRF[br]tokens or any other good countermeasure
0:22:55.508,0:23:00.456
against cross-site request forgery[br]attacks. And the second point here is
0:23:00.456,0:23:05.161
that only minimal user interaction is[br]required. The user often doesn't even see
0:23:05.161,0:23:11.233
that a cross-site request forgery attack[br]is currently being executed on his behalf.
0:23:11.233,0:23:15.695
So it's almost undetectable by the user.[br]And it's very simple to trick a user into
0:23:15.695,0:23:22.824
clicking a link. So the impact is very[br]devastating because we can now manipulate
0:23:22.824,0:23:29.414
settings in the vote counting software.[br]And we can even insert fake ballots here.
0:23:29.414,0:23:33.604
Alarm sound[br]T: So what's the result of this?
0:23:33.604,0:23:37.899
What can we do with it?[br]J: Well, we can manipulate the entire
0:23:37.899,0:23:42.534
election with this. Let's just do a demo[br]of how we do this.
0:23:42.534,0:23:45.009
T: Nice.[br]J: We are already logged into the vote
0:23:45.009,0:23:54.763
counting system. Our username is[br]admin321934. Now let's count some votes.
0:23:54.763,0:23:59.625
As we can see here, these are all the[br]ballots that we can enter. They are still
0:23:59.625,0:24:07.226
empty since we haven't entered any ballots[br]yet. So let's start. For simplicity, we
0:24:07.226,0:24:12.337
just have two parties here. On the left-[br]hand side we have the good party, who
0:24:12.337,0:24:16.812
wants the best for the people. On the[br]right-hand side we have the bad party,
0:24:16.812,0:24:22.339
who wants to take power and is willing to[br]even commit election fraud. Let us begin
0:24:22.339,0:24:27.957
and enter the first paper ballot. The[br]person has voted for the good party. So we
0:24:27.957,0:24:37.867
enter this into the software. Now we save[br]the ballot and go to the next one. Again,
0:24:37.867,0:24:44.743
it's a vote for the good party. Let's[br]enter it and save it and go to the third
0:24:44.743,0:24:52.906
ballot. And again, it's for the good[br]party. Let's save our third ballot. Now we
0:24:52.906,0:24:59.870
go to the ballot overview and we look what[br]has happened. As you can see, we now have
0:24:59.870,0:25:05.244
three ballots that have successfully been[br]entered. Next, let's check the
0:25:05.244,0:25:11.353
preliminary election results. As we can[br]see here, we have a total of three ballots
0:25:11.353,0:25:15.983
that have been entered into the system.[br]That's correct. Three ballots contained
0:25:15.983,0:25:21.764
votes for the good party. That's also[br]correct. And zero votes have been given to
0:25:21.764,0:25:28.235
the bad party. That's fine so far. Next, I[br]will show you what happens if I open a
0:25:28.235,0:25:32.616
malicious website. This website will[br]execute a CSRF attack and manipulate the
0:25:32.616,0:25:38.335
election results. Let's just assume we[br]want to take a break and simply browse
0:25:38.335,0:25:54.058
Twitter. OK, here we are. There's a cute[br]cat picture and there's a link to even
0:25:54.058,0:26:02.388
more of them. Let's just play along and[br]get tricked into clicking that link. Oh,
0:26:02.388,0:26:08.001
look at all those cute animal pictures,[br]look, a hungry rabbit, a monkey, a little
0:26:08.001,0:26:14.318
hedgehog and two cute goats and so on, and[br]when we are done browsing, we close those
0:26:14.318,0:26:23.343
tabs again and return to our vote counting[br]software. What we notice now is that our
0:26:23.343,0:26:29.460
username has been altered and we just got[br]pwned. We were tricked into visiting this
0:26:29.460,0:26:34.599
malicious website. The website executed a[br]CSRF attack on the vote counting software
0:26:34.599,0:26:42.758
and did some manipulations. Let's see what[br]else has changed. However, all three
0:26:42.758,0:26:48.426
ballots are still there, but now we take a[br]look at the preliminary election results.
0:26:48.426,0:26:53.792
What you can see here is that the number[br]of ballots that are in the system has been
0:26:53.792,0:26:58.190
increased to eight. We now have five[br]additional ballots that were not entered
0:26:58.190,0:27:03.728
by us. As you can see, the good party[br]still has three votes. That is what we
0:27:03.728,0:27:09.531
have entered. But now the bad party has[br]taken the lead. They have five votes now.
0:27:09.531,0:27:15.648
This attack has indeed manipulated the[br]election results. This is really bad
0:27:15.648,0:27:21.111
because we cannot even see those[br]additional fake ballots that have been
0:27:21.111,0:27:26.789
injected. However, we are lucky because we[br]noticed it, since we expected this
0:27:26.789,0:27:32.288
attack. But we won't notice[br]it in every case.
0:27:33.563,0:27:39.124
T: But what happens if we don't notice?[br]J: Well, that happens. So, for this
0:27:39.124,0:27:44.213
example, we just assume that team 1 had[br]three ballots that they have entered into
0:27:44.213,0:27:48.247
the computer system and team 2 has six[br]ballots that have been entered into the
0:27:48.247,0:27:55.038
computer system. Now team 1 visits a[br]malicious website and five fake ballots
0:27:55.038,0:28:01.085
are injected into the election results. In[br]this case, the attacker is very smart and
0:28:01.085,0:28:06.498
injects the ballots at the location where[br]the team 2 ballots will be expected in the
0:28:06.498,0:28:14.209
future. So what happens now is: team 2[br]exports their ballots and team 1 tries to
0:28:14.209,0:28:20.736
import the ballots of team 2. And now the[br]following thing happens: Because there are
0:28:20.736,0:28:26.460
already ballots present at the location[br]where the team 2 ballots should go to, the
0:28:26.460,0:28:32.353
import process is not fully successful and[br]only a subset of the ballots are imported
0:28:32.353,0:28:37.955
so that the majority of the ballots, in[br]this case five or six ballots, are just
0:28:37.955,0:28:42.483
discarded because they don't fit in the[br]database anymore because that location is
0:28:42.483,0:28:48.120
already taken by the fake ballots. So[br]usually we would expect that this would
0:28:48.120,0:28:52.786
generate an error message or at least a[br]warning. But this does not happen. This is
0:28:52.786,0:28:59.567
a silent failure of the software. And[br]what's even worse is that now the sums
0:28:59.567,0:29:04.639
are finally correct. So that means we now[br]have nine ballots present in the system
0:29:04.639,0:29:09.926
and nine paper ballots that were initially[br]available. So this looks like we have
0:29:09.926,0:29:14.250
entered all the ballots and everything[br]seems to be fine. So we will now close the
0:29:14.250,0:29:19.486
election and generate the final result.[br]And that is what happens now. As you can
0:29:19.486,0:29:25.624
see, we have only four votes for the good[br]party, but five votes for the bad party.
0:29:25.624,0:29:31.747
So the bad party has won the election by[br]manipulating the voting system, using this
0:29:31.747,0:29:38.272
CSRF attack. And that should never be[br]possible because this is not what we
0:29:38.272,0:29:45.812
expect for a voting software. And in this[br]case, the result is rigged. So have we
0:29:45.812,0:29:50.570
thought about network vulnerabilities?[br]T: Yeah, sure, that's exactly the other
0:29:50.570,0:29:55.010
side of the coin. First, we checked the[br]election worker side for attacks, but now
0:29:55.010,0:30:00.345
we checked the network side and scanned[br]and analyzed the system at first. And then
0:30:00.345,0:30:07.530
we looked like this: Open ports[br]everywhere. And as you can see, they fully
0:30:07.530,0:30:13.729
exposed the Apache Tomcat and the MariaDB[br]to each available network on the system.
0:30:13.729,0:30:19.010
And with this, we thought, well, let's maybe[br]try some newly discovered vulnerability,
0:30:19.010,0:30:25.090
which was recently found in 2020 called[br]Ghostcat. And Ghostcat is an attack
0:30:25.090,0:30:31.290
against AJP protocol from Apache. But[br]let's check the Apache system and how it's
0:30:31.290,0:30:37.780
built. First, Apache has a web root which[br]serves static resources and HTML or JSP
0:30:37.780,0:30:43.270
files. And additionally, it can include[br]class files or class sublets which are
0:30:43.270,0:30:48.979
combined with this JSPs or HTML files and[br]then served to the user. So we prepared
0:30:48.979,0:30:56.503
our ajpShooter with the URL of the[br]application, the port and the file we want
0:30:56.503,0:31:01.980
to read. In our case, it's a PrivateTest[br]class file because, what we
0:31:01.980,0:31:07.250
could leak about this, but we'll see. And[br]then we said we only want to read it
0:31:07.250,0:31:10.750
because there would even be the[br]possibility to evaluate it and execute the
0:31:10.750,0:31:17.600
code in it. So we've done this attack and[br]TADA we've got a result. This is the byte
0:31:17.600,0:31:22.510
code of the PrivateTest class. So let's[br]just drop this byte code in our cup of
0:31:22.510,0:31:29.132
coffee and maybe we can pull out some[br]source code from it. And yeah that's what
0:31:29.132,0:31:36.700
we've read out because why not. Just test[br]your encryption mechanism with the string.
0:31:36.700,0:31:42.020
But this is not a common string as you[br]later found out. This is the real root
0:31:42.020,0:31:45.661
productive password of the MariaDB. And[br]this was like:
0:31:45.661,0:31:51.775
Alarm sound[br]So what's the problem? As you maybe
0:31:51.775,0:31:56.850
clearly see with this attack, we could[br]leak out the login of the MariaDB and
0:31:56.850,0:32:02.363
probably even more logins or passwords.[br]And additionally, we could leak the whole
0:32:02.363,0:32:08.392
source code over the network without ever[br]accessing the PC in the election room. And
0:32:08.392,0:32:15.533
this was only possible because they[br]completely exposed all machines and
0:32:15.533,0:32:22.285
applications to the network and this[br]should never be the case. So in result:
0:32:22.285,0:32:26.902
How can this be prevented? First, you[br]should never expose these unneeded ports
0:32:26.902,0:32:31.445
to internet because they don't even use[br]the AJP proxy in their application, but
0:32:31.445,0:32:38.185
just left it on the 0.0.0.0 interface.[br]Next is: You should keep your software up
0:32:38.185,0:32:43.948
to date. That if some vulnerabilities were[br]found. You should not be vulnerable to it.
0:32:43.948,0:32:49.771
And last but not least: Never use[br]productive passwords in your unit tests
0:32:49.771,0:32:55.430
because that's not the best idea to do. In[br]the end, to sum it up: Avoid at all costs
0:32:55.430,0:33:01.316
any additional attack surface to prevent[br]these kind of attacks, even if you don't
0:33:01.316,0:33:04.671
know about them yet.[br]J: So, after Tobi has shown us a lot of
0:33:04.671,0:33:09.759
interesting and patchy stuff. I tested the[br]database for its security. For the first
0:33:09.759,0:33:14.918
analysis. I was just starting with the[br]same PC, but also the software was
0:33:14.918,0:33:20.154
installed and I tried to gain access to[br]the database. So it was coming from the
0:33:20.154,0:33:25.040
host localhost. I tried to use the[br]username root and then I saw that I am
0:33:25.040,0:33:29.723
asked for a password before I'm allowed to[br]connect to the database. However, finding
0:33:29.723,0:33:35.338
the password was quite trivial to do[br]because all the stuff I needed to know for
0:33:35.338,0:33:40.744
that was included in that last file and I[br]was able to decrypt the password without
0:33:40.744,0:33:46.397
any issue here. And that moment I realized[br]that also the password that Tobi has shown
0:33:46.397,0:33:51.313
us before, that he found with the Ghostcat[br]vulnerability is indeed the MySQL root
0:33:51.313,0:33:58.846
password here. So after I had access to[br]the MySQL system, I tried to dump the user
0:33:58.846,0:34:05.507
table to look which users are allowed to[br]access the database. So and that is how
0:34:05.507,0:34:11.357
the user table looks like. We have four[br]times the user root and the user root
0:34:11.357,0:34:16.576
requires a password if I'm coming from[br]localhost. But wait a moment. Here we also
0:34:16.576,0:34:23.840
have the host pci90309. And as you can see[br]here, there is no MySQL password
0:34:23.840,0:34:29.687
statement. That means that someone coming[br]from host pci90309 is almost allowed to
0:34:29.687,0:34:37.518
connect as root and does not even need to[br]provide any password for that. And that's
0:34:37.518,0:34:42.104
really strange.[br]Alarm sound
0:34:42.104,0:34:50.530
T: So what could happen from this?[br]J: Well, now someone on the network can
0:34:50.530,0:34:56.310
now just lump voting manipulation. That's[br]quite trivial because as soon as I set my
0:34:56.310,0:35:01.250
host to the correct hostname, I get full[br]access to the database where all my local
0:35:01.250,0:35:05.750
voting results are stored. And since I'm[br]root, I can interfere with them. I can
0:35:05.750,0:35:09.943
change them however I want to. And this[br]vulnerability is so damn weird and
0:35:09.943,0:35:16.850
trivial, it takes me no effort to do this[br]at all. And so we won't even go into a
0:35:16.850,0:35:22.770
demo here because it's so stupid simple in[br]this case. Usually I would say that's
0:35:22.770,0:35:28.370
enough for today because we already have[br]full access to the voting system and can
0:35:28.370,0:35:33.620
change whatever we want to. However, this[br]time we decided to go deeper because we
0:35:33.620,0:35:42.290
saw pci90309 is a real door opener. So we[br]have access to the voting results. We can
0:35:42.290,0:35:47.630
change them, but we still don't have[br]access to the entire voting system. So
0:35:47.630,0:35:52.186
what about the PC? Might it be possible,[br]with that root access to the database
0:35:52.186,0:35:59.840
server, to gain remote code execution at[br]that machine? So for this experiment, I
0:35:59.840,0:36:04.740
used the following setup. On the right hand[br]side we have a voting system with the
0:36:04.740,0:36:10.620
exposed MariaDB database server. On the[br]left hand side that's my system. I named
0:36:10.620,0:36:16.480
myself pci90309, just because I can do it,[br]and I establish a connection to the
0:36:16.480,0:36:23.927
MariaDB server. I use root as a username.[br]I don't need any password. And it is
0:36:23.927,0:36:30.119
immediately accepted. So now that I am[br]connected, I'm allowed to issue commands.
0:36:30.119,0:36:36.440
For example, I can now instruct MariaDB to[br]enable one of its plugins. This plugin is
0:36:36.440,0:36:42.390
called ha_connect. It's one of the plugins[br]that usually come directly with MariaDB.
0:36:42.390,0:36:49.980
And this is a very powerful MySQL storage[br]driver. So now I will show you what I can
0:36:49.980,0:36:57.020
do with that storage driver. So at next, I[br]will now create a table that's called pwn.
0:36:57.020,0:37:02.538
And I'm using the ha_connect storage[br]driver and instruct the storage driver to
0:37:02.538,0:37:09.470
create a file that's called pwn.dll and to[br]place it right into that plugin folder.
0:37:09.470,0:37:14.270
There is nothing that stops me from doing[br]so. So that is one of the special features
0:37:14.270,0:37:20.289
of the ha_connect storage driver, that I[br]can just say, this table is mapped to that
0:37:20.289,0:37:25.180
file in the file system. However, this[br]file is still empty because the table is
0:37:25.180,0:37:30.690
empty. But since this is a database, I can[br]now just issue INSERT INTO statements and
0:37:30.690,0:37:36.430
load whatever data I want to, for example,[br]some malicious DLL. I can just load into
0:37:36.430,0:37:41.270
the table, via that INSERT INTO a[br]statement, and then it is directly written
0:37:41.270,0:37:49.470
into our malicious DLL "pwn.dll". Ok, so[br]at next, after I've finished writing, I
0:37:49.470,0:37:55.060
will instruct MariaDB to enable this[br]plugin that I have just uploaded. And
0:37:55.060,0:38:00.447
enabling a plugin means that we are[br]executing the code that is stored in this
0:38:00.447,0:38:05.184
DLL file. So that means we have remote[br]code execution.
0:38:05.184,0:38:09.960
Alarm Sound[br]T: I don't even ask what you can do with
0:38:09.960,0:38:14.410
remote code execution.[br]J: Well, I can do anything. So that means
0:38:14.410,0:38:19.870
I have no gate, full control over the[br]entire vote counting system. So I'm not
0:38:19.870,0:38:24.520
only talking about the data in the[br]database, I'm talking about the entire
0:38:24.520,0:38:30.040
computer that I can now fully control and[br]manipulate however I want to. And that's
0:38:30.040,0:38:35.580
possible, only by using the voting[br]software and accessing it over the network
0:38:35.580,0:38:41.080
interfaces that it had exposed. And now[br]I'll show you how simple this is to
0:38:41.080,0:38:49.720
execute an arbitrary program on the system.[br]T: This is the vote counting computer
0:38:49.720,0:39:01.575
system. To begin, let's start the vote[br]counting software. Now, the Apache Tomcat
0:39:01.575,0:39:07.733
Web server and the MariaDB database server[br]are being launched. Finally, the Firefox
0:39:07.733,0:39:14.598
portable is started. The system is now[br]ready for operation. But beware, the
0:39:14.598,0:39:21.954
attacker becomes active, his host name is[br]the infamous pci90309, immediately it
0:39:21.954,0:39:28.738
launches the python attack script[br]"fun.py". It connects to the MariaDB
0:39:28.738,0:39:34.845
server as root without a password and[br]uploads a malicious DLL plugin. When the
0:39:34.845,0:39:41.512
upload has been finished, the malicious[br]plugin is executed. As we can see, the
0:39:41.512,0:39:47.506
calculator was started thus remote code[br]execution was successful. The vote
0:39:47.506,0:39:52.869
counting computer system is now under[br]control of the attacker.
0:39:52.869,0:40:00.893
J: After we have found so devastating[br]issues with the vote counting Software, we
0:40:00.893,0:40:06.156
immediately notified the vendor AKDB[br]T: And they were very professional about
0:40:06.156,0:40:11.269
it and responded very quickly to our[br]initial emails. So we really like working
0:40:11.269,0:40:18.114
together with them and telling them our[br]results and they were always
0:40:18.114,0:40:23.340
positive about it. So they also[br]recommended some fixes.
0:40:23.340,0:40:27.624
J: So, for example, they told us, you[br]should only use that voting software in a
0:40:27.624,0:40:31.662
secure environment like in an[br]administrational network. However, we
0:40:31.662,0:40:35.890
don't really believe that this is a good[br]solution.
0:40:35.890,0:40:39.563
T: Exactly. And we are not very happy[br]about this proposal, because we have two
0:40:39.563,0:40:44.645
problems that still arise, even if it's in[br]a secure environment. First of all, an
0:40:44.645,0:40:50.325
administrative PC could still be infected[br]with some malware or it could be
0:40:50.325,0:40:55.583
manipulated before the election takes[br]place. And in the second hand, we have
0:40:55.583,0:40:59.988
this bug with the broken access control,[br]you remember. And even if you would have
0:40:59.988,0:41:05.130
been in the secure environment, this bug[br]would have been totally worked and you
0:41:05.130,0:41:09.303
could have completely deleted all data[br]work or reopened elections or something
0:41:09.303,0:41:12.260
like this.[br]J: But we are still quite happy that they
0:41:12.260,0:41:17.833
took us seriously, because they even have[br]announced updates. So, for example, they
0:41:17.833,0:41:23.090
wrote us that they are planning on adding[br]XSRF tokens for the pages where we found
0:41:23.090,0:41:28.302
cross-site vulnerabilities. So that's[br]already a good step into the right
0:41:28.302,0:41:35.020
direction. So now let's summarize what we[br]have presented today. So first of all, we
0:41:35.020,0:41:40.408
discovered several problematic aspects[br]in the concept and its practical
0:41:40.408,0:41:45.241
implementation. So, first of all, the[br]entire voting system, it's running on
0:41:45.241,0:41:50.384
untrustworthy computer systems. So it[br]could have been manipulated beforehand.
0:41:50.384,0:41:56.055
They could have malware on them or they[br]just could not function correctly. So
0:41:56.055,0:42:00.638
that's already very problematic from the[br]beginning, because we have no underlying
0:42:00.638,0:42:05.946
trust that we can put into those systems[br]and we are using them to count out our
0:42:05.946,0:42:11.702
votes, to count out the entire election.[br]So what's even more is, that even if they
0:42:11.702,0:42:19.430
use the software and the PC, that lies[br]beyond it, is secure, it still has not
0:42:19.430,0:42:25.326
enough transparency. It's very hard to[br]understand what the software is exactly
0:42:25.326,0:42:31.001
doing and how it is doing this. So, I[br]cannot really understand how does it come
0:42:31.001,0:42:36.034
to its result. Please keep in mind, that[br]we have almost 600 candidates and several
0:42:36.034,0:42:42.445
hundreds of ballots that have all to be[br]input into that computer system and then
0:42:42.445,0:42:47.504
some magic happens and it spits out its[br]result. So, then we just have to take this
0:42:47.504,0:42:53.417
result, because it's just impossible to[br]check, if really each vote has been
0:42:53.417,0:42:57.822
counted correctly or is there anything[br]strange has happened or any manipulation
0:42:57.822,0:43:00.619
took place.[br]T: And this is also possible, because we
0:43:00.619,0:43:07.262
found lots of vulnerable software and not[br]just the system security was affected, but
0:43:07.262,0:43:12.208
it was also absolutely possible to[br]manipulate the whole election from very
0:43:12.208,0:43:19.954
many parts in the network. And this leads[br]us to conclude that these elections are at
0:43:19.954,0:43:24.900
a high risk with this technology.[br]J: So, and that is the reason that we want
0:43:24.900,0:43:31.125
you as election worker. The more eyes are[br]looking at the election, the more secure
0:43:31.125,0:43:35.539
it becomes. And if you are interested in[br]becoming an election worker, just get into
0:43:35.539,0:43:40.212
contact with the local administration.[br]They are always very happy to have
0:43:40.212,0:43:45.222
volunteers, who want to take part as[br]election workers. So and for my personal
0:43:45.222,0:43:49.961
experience, I'm doing this for several[br]years now. It's also a lot of fun. You get
0:43:49.961,0:43:54.727
into contact with a lot of people. So I[br]enjoyed this a lot and I can just
0:43:54.727,0:44:00.790
recommended it and this is a good way, how[br]everyone of us can support the democracy
0:44:00.790,0:44:05.273
in their country.[br]T: So, to conclude our talk, we found out
0:44:05.273,0:44:11.593
that security in this technology is really[br]bad and that's not all of it.
0:44:11.593,0:44:16.986
J: So, this is just the tip of the[br]iceberg, because we look only at one of
0:44:16.986,0:44:21.965
the solutions that is available for vote[br]counting. And this was also in a special
0:44:21.965,0:44:28.086
configuration. So what is even more[br]difficult to see is, what happens behind
0:44:28.086,0:44:34.597
all the stuff we have seen today, because,[br]when we export the data and bring it to
0:44:34.597,0:44:40.264
the central administration and the data is[br]imported and uploaded, so where does all
0:44:40.264,0:44:44.910
this data go, where are all the results[br]from all this data from all the polling
0:44:44.910,0:44:49.603
stations are summarized? We don't know[br]that yet, how this works. We don't have
0:44:49.603,0:44:53.868
the software, that we can analyze. So[br]there's still a lot of work that has to be
0:44:53.868,0:44:59.355
done. Here to really check the entire[br]system, we just took a look at a very
0:44:59.355,0:45:04.149
small portion and that is just the vote[br]counting software here.
0:45:04.149,0:45:08.647
T: Next, we were very shocked that this[br]information, that vote counting is already
0:45:08.647,0:45:14.458
shifted to software, is not publicly[br]known. And this is also why we created
0:45:14.458,0:45:19.947
this talk today as this is an information,[br]that is crucial for the democracy, that
0:45:19.947,0:45:26.788
there is already this software in use and[br]it is not really secure. So this was a big
0:45:26.788,0:45:33.530
thing for us to keep bringing it out to[br]the people.
0:45:33.530,0:45:37.829
J: So and one other thing is, everything[br]that we have seen today is entirely legal,
0:45:37.829,0:45:44.312
because at least in Bavaria, we don't have[br]any rules or any laws against the use of
0:45:44.312,0:45:50.098
unsecure computer systems, of unsecure[br]vote counting software. So, as we've seen
0:45:50.098,0:45:55.611
in the beginning, we only have very rough[br]legal guidelines that says, well, you can
0:45:55.611,0:46:00.322
just use computers for vote counting, but[br]we need stricter guidelines here, because
0:46:00.322,0:46:06.794
it cannot continue as we've seen it today[br]and in other states in Germany there is
0:46:06.794,0:46:12.304
sometimes something like, let's say,[br]guidelines or even certification process
0:46:12.304,0:46:18.347
for such digital software. But in most[br]states that I had a look at, there are no
0:46:18.347,0:46:23.780
rules at all and nothing that should[br]continue in the next years that way.
0:46:23.780,0:46:29.963
T: Additionally, in the end, before any of[br]this software to electronically count the
0:46:29.963,0:46:36.671
votes should go live, unbiased tests for[br]everyone should be available to prove
0:46:36.671,0:46:41.965
themselves, that this software is secure[br]and this software is doing what it's
0:46:41.965,0:46:46.530
promising to us. Because it is directly[br]influencing our democracy. And if this
0:46:46.530,0:46:52.002
software is manipulated, it manipulates[br]our voting, our election and our
0:46:52.002,0:46:56.333
democracy. So in the end, we can just[br]leave you with two questions.
0:46:56.333,0:47:01.158
T: How much digital support is required?[br]J: And how much is tolerable?
0:47:01.158,0:47:18.528
No Audio
0:47:18.528,0:47:25.709
Herald: Thank you very much for the[br]interesting talk, Johannes and Tobias. And
0:47:25.709,0:47:30.136
thank you very much for your work on the[br]topic. I hope you do have time for a
0:47:30.136,0:47:36.095
little Q&A. We have quite a few questions,[br]actually.
0:47:36.095,0:47:39.244
J: Sure.[br]M: All right. So the first question from
0:47:39.244,0:47:45.468
the Internet is, is there any suspicion[br]that these vulnerabilities have been
0:47:45.468,0:47:49.404
actively used?[br]J: Well, it's very hard to tell. So, at
0:47:49.404,0:47:57.617
least for the town that I am from, I did[br]not notice any special occurrences there.
0:47:57.617,0:48:04.994
So, however, I don't have an overview of[br]entire Bavaria, so, that's quite hard to
0:48:04.994,0:48:09.707
tell. I think it's even impossible to[br]tell, if there were any manipulation so
0:48:09.707,0:48:15.395
far. So, unfortunately, we cannot say[br]that.
0:48:15.395,0:48:20.292
T: Additionally, we are just at one place[br]in this whole system. So we don't have an
0:48:20.292,0:48:25.328
overview, if there was any mismatching[br]numbers or any other influences that
0:48:25.328,0:48:30.702
happened, but that we didn't see at the[br]moment, because we were just at one
0:48:30.702,0:48:35.589
position in the system, at one station[br]of the election.
0:48:35.589,0:48:41.470
M: OK, thank you for the answer. Ah, do[br]you believe that it is possible to have a
0:48:41.470,0:48:46.300
digital ballot that is as secure and[br]trustworthy as physical or paper based
0:48:46.300,0:48:51.560
voting is?[br]J: Well, in my opinion, that's not
0:48:51.560,0:48:56.560
possible, if you want to have the same[br]sort of transparency that we have in the
0:48:56.560,0:49:02.010
paper based voting system, because, when[br]we have paper based voting, we can just go
0:49:02.010,0:49:07.470
into the voting room and watch what's[br]going on there. We can see the ballots
0:49:07.470,0:49:12.690
that are handed in, the ballots that come[br]out of the box. Then, they are counted,
0:49:12.690,0:49:17.990
are summed up. I can really try to find[br]out what's going on there. I can have a
0:49:17.990,0:49:24.220
look at that. Understand what people are[br]doing there, but at the moment, that we
0:49:24.220,0:49:29.840
have only a digital vote, I cannot really[br]find out, if the computer is doing the
0:49:29.840,0:49:34.190
right thing, if there were some[br]manipulations. So, in terms of
0:49:34.190,0:49:40.830
transparency, I don't think it is possible[br]in the same. Yeah, in the same way as the
0:49:40.830,0:49:47.910
paper based ballots, for example.[br]T: I would have to add to this, if there
0:49:47.910,0:49:53.750
would be the possibility to get the same[br]traceability and visibility that you can
0:49:53.750,0:50:00.240
always see which results came from, from[br]which position. And if they are signed
0:50:00.240,0:50:07.260
very transparent, then it may be possible[br]in any future, but not with any kind of
0:50:07.260,0:50:16.299
this software, we saw there.[br]M: All right. Thank you. Do you, by any
0:50:16.299,0:50:21.552
chance, know which states in Germany use[br]these software OK.VOTE as far?
0:50:21.552,0:50:29.257
T: We cannot directly say which states[br]actively use them, because we only took
0:50:29.257,0:50:34.249
place in elections here in Munich or[br]Bavaria. But, we can tell, that we found
0:50:34.249,0:50:40.130
very much hints in the source code that[br]they were also used in, for example,
0:50:40.130,0:50:47.481
Hamburg, Bremen, Hessen or Rheinland-[br]Pfalz, but we don't know if they were
0:50:47.481,0:50:54.180
already used there or if it's planned to[br]be used there or did they already used
0:50:54.180,0:50:59.010
them in the past elections and decided[br]against them for future ones. We don't
0:50:59.010,0:51:03.330
know about this, exactly.[br]M: OK, maybe we can stay for a second on
0:51:03.330,0:51:11.190
your job as an election worker. The[br]process of manually entering data into the
0:51:11.190,0:51:16.610
system, is there a process for this? Do[br]you have an idea on the risk of this part
0:51:16.610,0:51:21.069
here?[br]J: Yes. So, it's basically the thing, that
0:51:21.069,0:51:26.401
they are at least two or three people[br]sitting in front of each computer and then
0:51:26.401,0:51:30.930
they are entering each ballot. So people[br]are really cross checking that the ballot
0:51:30.930,0:51:36.180
has been entered correctly. So, it's like[br]one person has the ballot in front of him
0:51:36.180,0:51:42.290
or her and the other person reads the[br]votes and the other person types it in and
0:51:42.290,0:51:47.645
they are cross checking each other. So,[br]that there isn't any error doing typing in
0:51:47.645,0:51:54.250
those election results in the computer.[br]M: All right. Thank you for the
0:51:54.250,0:52:00.300
elaboration. Someone is asking, how the[br]system's connected to the Internet or some
0:52:00.300,0:52:05.870
other network of the understanding of the[br]talk was correctly received by that
0:52:05.870,0:52:09.740
person. The results are written to some[br]physical medium which is turned into
0:52:09.740,0:52:15.560
transmit the results. So you sense[br]something physically. So, why care for the
0:52:15.560,0:52:20.305
Windows version or the, what is running on[br]these machines? Is that correct
0:52:20.305,0:52:24.941
understanding?[br]J: Well, the problem with that is, that it
0:52:24.941,0:52:30.011
depends on the local administration, how[br]they set up their computer systems. So, I
0:52:30.011,0:52:36.242
also read this in a chat here. Someone has[br]written, that they had their voting
0:52:36.242,0:52:44.530
software in a, yeah, in a very limited[br]network connectivity. So, the computer was
0:52:44.530,0:52:49.960
not connected to the Internet. However, it[br]depends very on the administration and on
0:52:49.960,0:52:54.666
the computer network that is being used[br]there. So, it is entirely possible that
0:52:54.666,0:52:59.902
computers are connected to the Internet,[br]because there are no guidelines on how
0:52:59.902,0:53:06.480
these computers are allowed to be set up.[br]So, I cannot fully exclude this. So, and
0:53:06.480,0:53:11.370
if someone, for example, just enables the[br]wireless network or connects to some
0:53:11.370,0:53:16.834
unsecured hotspot, they are connected[br]then. So, it's hard to tell here, but
0:53:16.834,0:53:22.640
I would not exclude this possibility.[br]T: To extend this answer. We even try to
0:53:22.640,0:53:27.490
find out, if there's any software side[br]protection that checks, if there is any
0:53:27.490,0:53:31.189
internet connection is present and then[br]would deny this voting system. But, there
0:53:31.189,0:53:36.480
wasn't or at least we couldn't find one.[br]So even if the administration was not
0:53:36.480,0:53:44.020
advised, if these PCs should be[br]disconnected from the network. There isn't
0:53:44.020,0:53:47.914
even a security mechanism in place, that[br]would check this and stop it or even show
0:53:47.914,0:53:51.860
a warning, that this is connected and they[br]should be disconnected from the Internet
0:53:51.860,0:53:59.700
before the counting can begin.[br]M: Interesting. All right. We have one
0:53:59.700,0:54:03.780
message on the IRC, from someone who[br]worked with this particular piece of
0:54:03.780,0:54:09.540
software in demo mode by themselves,[br]obviously. And the question they have, is:
0:54:09.540,0:54:17.890
Did you notice the possibility to enter a[br]negative votes for a candidate? So saying
0:54:17.890,0:54:25.760
minus two votes, for instance.[br]J: Well, that's difficult to tell. I
0:54:25.760,0:54:31.200
thought about, if this is possible, so[br]perhaps you might have to manipulate the
0:54:31.200,0:54:37.360
database directly. So I'm not entirely[br]sure. I'm not sure, if I tried this out
0:54:37.360,0:54:43.600
this one. So, but however, as soon as I[br]have a data, as I have database access,
0:54:43.600,0:54:49.920
it's entirely possible to manipulate[br]anything. So. Well, we could try this out
0:54:49.920,0:54:57.520
again. However, I don't think that changes[br]much in our result. So, yeah, that's
0:54:57.520,0:55:03.040
interesting questions of I cannot answer[br]this right now, so I'm not sure, you Tobi,
0:55:03.040,0:55:10.080
have you tried out something like that?[br]T: We've tried manipulating some already
0:55:10.080,0:55:17.040
submitted votes, but I think, this was not[br]really possible. However, as you showed,
0:55:17.040,0:55:22.640
when you export the data and import into[br]the main PC, the votes that were already
0:55:22.640,0:55:28.080
in place, possibly by an attacker, would[br]then discard the newly imported votes. So,
0:55:28.080,0:55:34.238
this would probably replace this data and[br]these votes, but via the Web interface, I
0:55:34.238,0:55:38.988
think it was not possible. However, we[br]found enough vulnerabilities with
0:55:38.988,0:55:43.512
database access that you could do it by[br]this way, if you want to.
0:55:43.512,0:55:50.524
M: All right. Thank you for your[br]explanation. Out of pure curiosity, people
0:55:50.524,0:55:55.984
ask, how did you get access to the software[br]in the first place? To start your analysis?
0:55:55.984,0:56:00.514
J: Well, that's a good question here,[br]because there's a nice story behind that.
0:56:00.514,0:56:06.304
So, I was election worker and I was[br]supporting setting up a system and doing
0:56:06.304,0:56:12.470
some IT support in the evening. And at[br]some point, we tried to merge our results.
0:56:12.470,0:56:17.297
So we exported the results from one[br]computer to move them to the other one.
0:56:17.297,0:56:22.377
However, the import failed, because, there[br]is some artificial limitation in the
0:56:22.377,0:56:27.616
software. So, as soon as your export files[br]are larger than 10 megabytes, they cannot
0:56:27.616,0:56:33.667
be imported anymore. So this happens quite[br]quickly, when you have a few hundreds of
0:56:33.667,0:56:38.479
votes, of few hundreds of ballots and then[br]the import doesn't work anymore. And I had
0:56:38.479,0:56:42.106
a look at this file, and that was just a[br]JSON file with a lot of whitespace. So, I
0:56:42.106,0:56:46.750
copied all this stuff to my computer to[br]fix this. And there was also later on, a
0:56:46.750,0:56:51.251
software fix that was published by the[br]software vendor. However, then I had the
0:56:51.251,0:56:56.466
software on my computer, just because I[br]wanted to fix this election. And it was
0:56:56.466,0:57:00.328
very late at night. And I returned home[br]and I noticed, oh, I still have that
0:57:00.328,0:57:06.867
software on my computer. Let's have a look[br]at this. So, yeah, it was just by chance.
0:57:06.867,0:57:11.943
So, I tried to fix something, got all the[br]software on my PC and then I had it ready
0:57:11.943,0:57:18.028
to analyze even with some data on that, so[br]that I really knew how this works in
0:57:18.028,0:57:23.840
practice. And yes, but if someone would[br]try to gain access to that software,
0:57:23.840,0:57:28.945
that's quite simple, because they could[br]just restore the deleted data from one of
0:57:28.945,0:57:33.268
the computers that are in the schools.[br]Perhaps, someone doesn't even delete the
0:57:33.268,0:57:38.382
election software from their computers, in[br]your school, or some person could just
0:57:38.382,0:57:43.292
steal one of the USB sticks, that have[br]been used for installation. So, I don't
0:57:43.292,0:57:53.591
even think, that would be noticed then.[br]M: Interesting, indeed, you mentioned in
0:57:53.591,0:57:58.920
your talk, that the software is certified[br]by the BSI, that they claim to be
0:57:58.920,0:58:02.673
certified by the Open Web Application[br]Security project, but how could such a
0:58:02.673,0:58:07.901
broken system can be certified by both[br]parties in the first place? And what's
0:58:07.901,0:58:12.119
wrong with the certification process? Yes,[br]this obviously happened. I mean, like, why
0:58:12.119,0:58:19.219
not use a certified. What do we do[br]certified in the first place, if it gets
0:58:19.219,0:58:24.377
certified, even if it's broken?[br]T: I think the first point about this is,
0:58:24.377,0:58:28.158
that we already mentioned in the talk,[br]that there are no legal requirements. You
0:58:28.158,0:58:32.700
don't need any certification, that this[br]software can be used in our voting, in our
0:58:32.700,0:58:38.233
elections here in Germany or in most parts[br]of Germany. And additionally, this
0:58:38.233,0:58:46.323
screenshot we show with OWASP and the BSI[br]was just the promotion of the AKDB for
0:58:46.323,0:58:52.179
their software, but I think there was no[br]real certification attached. So, we don't
0:58:52.179,0:58:57.930
know if the BSI ever saw this software for[br]real or if they just put it on there and said,
0:58:57.930,0:59:02.728
yeah, BSI certificate certified or with[br]the BSI standards in mind, like they
0:59:02.728,0:59:07.234
already have the IT Grundschutz[br]and they maybe tried to implement, after
0:59:07.234,0:59:15.093
this system architecture. But the BSI[br]never checked on it. So, I don't think
0:59:15.093,0:59:18.818
there's any real certification for the[br]software.
0:59:18.818,0:59:23.035
J: So, just to add a few details here,[br]that's not really a certification, that
0:59:23.035,0:59:28.555
they just said that they follow the BSI[br]and OWASP guidelines. I think, that was
0:59:28.555,0:59:32.653
also the wording that was used on the[br]website. So, there's no real certification
0:59:32.653,0:59:39.494
behind that, so far.[br]M: Thank you for the answer. Do you know
0:59:39.494,0:59:46.197
by chance, how the municipalities[br]published the election results?
0:59:46.197,0:59:53.581
J: Well, I don't know in detail how it[br]works. So, when we handed in our election
0:59:53.581,0:59:59.802
results, they got uploaded onto some other[br]software. And that's also the end that
0:59:59.802,1:00:05.692
I've seen. So end up in the computer[br]system and they are electronically
1:00:05.692,1:00:10.348
transmitted. And that, first of all, it[br]generates a preliminary file. And finally,
1:00:10.348,1:00:15.767
that's a final result generated by it.[br]However, I don't really know how this
1:00:15.767,1:00:20.243
works, but the election results that were[br]generated, with OK.VOTE are definitely
1:00:20.243,1:00:28.562
going into the final result. So, perhaps[br]there's also some paper based protocol
1:00:28.562,1:00:33.330
between them. I don't really know if[br]they're using the data that's in the
1:00:33.330,1:00:38.126
computer or the data that is on the paper.[br]But, however, it doesn't change very much
1:00:38.126,1:00:46.112
here.[br]M: OK, on. Coming over here a bit, the
1:00:46.112,1:00:50.830
last question would be: What, in your[br]experience, how practical and expensive
1:00:50.830,1:00:55.964
are hand recounts here and did you observe[br]these?
1:00:55.964,1:01:01.039
T: I think, this is very different from[br]election to election and from city to
1:01:01.039,1:01:07.167
city, if this is a rather small town, you[br]could probably easily reelect all this or
1:01:07.167,1:01:13.473
all the votes and recount the votes. But,[br]if this is a big city like Munich, for
1:01:13.473,1:01:20.911
example, with millions of votes, and you[br]would have to recount this, this would
1:01:20.911,1:01:26.076
particularly delay the voting or the[br]results pretty much. And this could have
1:01:26.076,1:01:31.071
really bad influences, if this would[br]happen. That software has shown that kind
1:01:31.071,1:01:36.890
of manipulation has happened and they had[br]to recount all the stuff by hand again.
1:01:36.890,1:01:42.242
J: So, counting this by hand is, indeed,[br]very, very effortful, because they have
1:01:42.242,1:01:48.703
like 70 votes per ballot. And even summing[br]up all that is still error prone, if it's
1:01:48.703,1:01:54.660
done by hand. So, it's difficult to do[br]that. And up to my knowledge, it's not
1:01:54.660,1:02:00.854
generally recounted after the election.[br]So, I try to find something in the
1:02:00.854,1:02:07.384
Internet regarding that. And I just found[br]some PDF, that they said, well, it's not
1:02:07.384,1:02:15.467
feasible to recount all the election[br]results and all the ballots. So, that's
1:02:15.467,1:02:21.781
just rather do a meta-level check on: is[br]the protocol complete? How about the
1:02:21.781,1:02:26.894
special ballots, that were not really[br]clear and so on? But it's not like, every
1:02:26.894,1:02:31.733
ballot will be recounted, as far as I[br]understand.
1:02:31.733,1:02:37.880
M: OK. Oh, thank you very much Tobias and[br]Johannes for answering all the questions.
1:02:37.880,1:02:41.683
Thank you again for your talk.[br]J: Thank you.
1:02:41.683,1:02:42.403
M: Thank you.
1:02:42.403,1:03:10.210
rC3 postroll music
1:03:10.210,1:03:22.140
Subtitles created by c3subtitles.de[br]in the year 2020. Join, and help us!